Charities Are Not Exempt from Cookie Laws

A common misconception among nonprofit organisations is that privacy regulations only target commercial businesses. The General Data Protection Regulation makes no distinction based on profit status. Article 2 of the GDPR states that the regulation applies to any entity processing personal data, whether a multinational retailer or a local food bank.

The same principle holds for cookie-specific rules. Article 5(3) of the ePrivacy Directive requires prior consent before storing or accessing information on a visitor's device, with only two narrow exceptions: the communication exemption and the strictly necessary exemption. Neither exemption covers analytics, advertising, or donation tracking cookies.

In the UK, the Privacy and Electronic Communications Regulations 2003 (PECR) mirrors this position. The ICO has been clear that all organisations, charities included, must obtain consent before setting non-essential cookies.

Which Cookies Do Charity Websites Typically Set?

Most nonprofit websites set more cookies than their operators realise. A typical charity site running Google Analytics 4, a donation platform, and social sharing buttons can easily set 15 to 30 cookies across several categories.

Here is a breakdown of common cookies found on charity websites:

| Cookie | Category | Purpose | Consent Required? |
|---|---|---|---|
| PHPSESSID | Strictly necessary | Maintains server session | No |
| pll_language | Functional | Stores language preference | Depends on implementation |
| _ga | Analytics | Google Analytics visitor ID | Yes |
| _ga_* | Analytics | GA4 session tracking | Yes |
| _fbp | Marketing | Meta Pixel tracking | Yes |
| __stripe_mid | Functional / Analytics | Stripe fraud detection | Context-dependent |
| NID | Marketing | Google advertising preferences | Yes |

Payment processors such as Stripe and PayPal set their own cookies for fraud prevention. Some of these qualify as strictly necessary when directly tied to a transaction. Others, particularly those used for behavioural analysis, do not.

Donation Tracking and the Consent Question

Charities rely on conversion tracking to measure donation campaign effectiveness. A Meta Pixel on a donation thank-you page, a Google Ads conversion tag, or a fundraising platform's built-in analytics all set cookies that require prior consent under GDPR and PECR.

This creates a tension. Without tracking, charities cannot attribute donations to specific campaigns, making it harder to allocate limited marketing budgets. With tracking, they need a consent mechanism that some donors may dismiss or reject.

The practical solution is twofold. First, use server-side tagging or the platform's server-side conversion API (such as Meta's Conversions API) to reduce reliance on client-side cookies. Second, implement a clear, honest cookie banner that explains why tracking matters for the charity's mission.

Analytics Without Full Consent: What Are the Options?

Charities concerned about losing analytics data when visitors decline cookies have several paths forward.

Privacy-preserving analytics tools such as Plausible and Fathom operate without setting cookies at all. They provide aggregate traffic data, page views, and referral sources without collecting personal data. For many small charities, this level of insight is sufficient.

Google Analytics 4 offers consent mode, which uses statistical modelling to estimate conversions when users decline tracking. The modelled data fills some of the measurement gap, though accuracy varies depending on traffic volume and consent rates.

A third option is to rely on first-party data that donors voluntarily provide - email addresses, survey responses, and direct feedback. This zero-party data approach aligns well with the trust-based relationship charities cultivate with supporters.

The UK Data Use and Access Act: New Rules for Charities in 2026

UK-based charities should pay close attention to the Data (Use and Access) Act, which introduced a significant change for the sector. From 5 February 2026, charities can use the "soft opt-in" exemption for email and text marketing to existing supporters. Previously, this exemption was limited to commercial organisations.

This does not change cookie consent rules. The soft opt-in applies to direct marketing communications, not to website cookies or tracking technologies. A charity still needs prior consent before setting _ga or _fbp on a visitor's browser, regardless of whether that visitor is an existing donor.

Charities also cannot use the soft opt-in to promote products or services, even if profits go back to the charity.

Enforcement: Are DPAs Actually Fining Charities?

Data protection authorities have not made charities a primary enforcement target, but they have not granted blanket immunity either. The Norwegian Data Protection Authority fined the Norwegian Confederation of Sport EUR 125,000 after inadequate testing exposed personal data of over three million individuals, including nearly half a million minors.

The ICO has issued enforcement notices and reprimands to UK charities for various data protection failings. While most cookie-related enforcement has focused on large commercial websites, the ICO's 2025 review of the UK's top 1,000 websites signalled a broader compliance push that could extend to high-traffic charity sites.

Smaller charities face a different risk: reputational damage. A donor who sees their data mishandled is unlikely to contribute again. Transparent cookie consent practices build trust with the very audience charities depend on.

What a Compliant Charity Cookie Banner Looks Like

A charity's cookie banner should follow the same principles as any other organisation's banner, with a few considerations specific to the sector.

The banner must offer a genuine choice. That means a clearly visible reject option alongside the accept button, with no dark patterns such as hidden decline links or colour manipulation. The EDPB and CNIL have made clear that button parity is expected.

Cookie categories should be labelled in plain language. Rather than "performance cookies", say "cookies that help us understand how visitors use this site". Category descriptions should explain purpose, not just use technical jargon.

For multilingual charity websites serving international communities, the banner should appear in the visitor's language. Kukie.io supports automatic translation and localisation, which helps charities with a global supporter base present consent information clearly.

Practical Steps for Nonprofit Cookie Compliance

Start with a cookie audit. Run an automated scan of your website to identify every cookie and tracking technology in use. Many charities discover cookies they did not know existed, often set by third-party plugins, embedded maps, or social sharing widgets.

Classify each cookie into the correct category: strictly necessary, functional, analytics, or marketing. Only strictly necessary cookies may fire without consent.

Implement a consent management platform that blocks non-essential cookies until the visitor makes a choice. Kukie.io's script blocking and geo-detection features handle this automatically, applying the correct legal framework based on the visitor's location.

Document your cookie processing in a clear cookie policy that lists each cookie by name, purpose, provider, and duration. Link to this policy from your banner.
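
The audit, classification and documentation steps above can be sketched in code. This is an added example, not Kukie.io's code or any scanner's actual output: it classifies cookies captured before any consent choice using the table earlier on this page. The function names, the sample header values and the example.org domain are constructed for illustration.

```javascript
// Classification rules transcribed from the cookie table on this page.
// "review" marks entries the page calls context- or implementation-dependent.
const RULES = [
  { match: /^PHPSESSID$/,    category: "strictly necessary",     consent: "no" },
  { match: /^pll_language$/, category: "functional",             consent: "review" },
  { match: /^_ga(_.+)?$/,    category: "analytics",              consent: "yes" },
  { match: /^_fbp$/,         category: "marketing",              consent: "yes" },
  { match: /^__stripe_mid$/, category: "functional / analytics", consent: "review" },
  { match: /^NID$/,          category: "marketing",              consent: "yes" },
];

// Parse one Set-Cookie value into the fields a cookie policy lists.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), domain: null, duration: "session" };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const value = i === -1 ? "" : attr.slice(i + 1);
    if (key === "domain") cookie.domain = value;
    if (key === "max-age") cookie.duration = `${Math.round(Number(value) / 86400)} days`;
    else if (key === "expires" && cookie.duration === "session") cookie.duration = `until ${value}`;
  }
  return cookie;
}

// Classify cookies seen before any consent choice. Unknown names are never
// treated as allowed; they fall through to manual review.
function auditPreConsent(headers) {
  return headers.map((h) => {
    const cookie = parseSetCookie(h);
    const rule = RULES.find((r) => r.match.test(cookie.name));
    const consent = rule ? rule.consent : "review";
    const finding = consent === "yes" ? "set before consent" : consent === "review" ? "needs manual review" : "ok";
    return { ...cookie, category: rule ? rule.category : "unclassified", consent, finding };
  });
}

// Constructed sample: cookie strings as a scan might capture them on first page load.
const SAMPLE = [
  "PHPSESSID=abc123; Path=/; HttpOnly",
  "_ga=GA1.1.111.222; Domain=.example.org; Max-Age=63072000; Path=/",
  "_ga_ABC123=GS1.1.1.1; Domain=.example.org; Max-Age=63072000",
  "_fbp=fb.1.1.1; Domain=.example.org; Max-Age=7776000",
  "__stripe_mid=xyz; Max-Age=31536000",
  "widget_pref=1; Max-Age=86400",
];
console.table(auditPreConsent(SAMPLE), ["name", "category", "duration", "finding"]);
```

Rows marked "set before consent" are the ones the consent platform should be blocking; the name, category and duration columns map onto the cookie policy entries described above.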

Frequently Asked Questions

Do charities need cookie consent under GDPR?

Yes. GDPR applies to all organisations processing personal data of EU residents, regardless of profit status. The ePrivacy Directive also requires prior consent for non-essential cookies on any website, including charity sites.

Are donation page cookies strictly necessary?

Session cookies that maintain a donation transaction in progress (such as PHPSESSID) can qualify as strictly necessary. Tracking cookies used to measure donation campaign performance, such as _ga or _fbp, require consent.

Can a charity use Google Analytics without a cookie banner?

No. Google Analytics sets cookies like _ga that count as non-essential under both GDPR and PECR. A consent mechanism must be in place before these cookies are set. Alternatives like Plausible or Fathom can run without cookies.

Does the UK soft opt-in exemption apply to cookies?

No. The Data (Use and Access) Act 2025 extended the soft opt-in to charity email and text marketing, but this exemption does not cover website cookies or tracking technologies. Cookie consent rules under PECR remain unchanged.

What happens if a charity ignores cookie consent rules?

DPAs can issue fines, enforcement notices, or reprimands. Beyond financial penalties, non-compliance risks damaging donor trust, which for charities is often more costly than any fine.

How can a small charity afford cookie compliance?

Free and low-cost consent management tools exist. Running a free cookie scan identifies what your site sets, and a basic consent banner can be configured without developer resources. Kukie.io offers a free tier suitable for smaller websites.

Take Control of Your Cookie Compliance

If you are not sure which cookies your charity website sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your supporters get a clear choice, and your organisation stays on the right side of the law.